Thursday, May 26, 2016

How to fail at mobile user experience

Some posts I write because I am curious, and some to share a project I have worked on, or a security risk to be aware of. And then there are posts like this, written out of sheer annoyance.

It began with a simple link to a news article, shared by a fellow Central Texas security pro:

At first glance, I thought the article pertained to a story I have been following (and have written about) - a series of coordinated ATM heists over the past few years, involving large numbers of stolen payment cards and large numbers of hired hands, stealing millions of dollars from thousands of ATMs at once.

Alas, I could not read the story.

Clicking the link in Twitter's client for my Android phone did not open the story on the ABC web site. Instead, the link opened Google Play Store, asking me to install the ABC News mobile app.

Monday, May 23, 2016

Coordinated heist steals $12.7 million from 1,400 ATMs in Japan

"Automatic teller machine trailer" by Thilo Parg, used under license CC BY-SA 3.0

This is a bit more sophisticated than the run-of-the-mill ‪heist. On May 15, an as-yet unidentified crime ring pulled off the theft of the equivalent of $12.7 million USD, using 1600 stolen payment cards at 1400 Japanese ATMs, all in the span of 2 hours.

This is not the first coordinated attack against ATMs. A similar heist in 2011 used prepaid cards from a Florida bank to withdraw some $13 million USD from ATMs across Europe. Then, in February 2013, yet another crime organization pulled off the theft of over $40 million USD from ATMs around the world in a coordinated attack lasting 10 hours.

The details of the most recent attack are a little bit unclear to me - I suspect something may be lost in translation. The original story says the attack used cloned credit cards stolen from South Africa, but ‪ATM‬ withdrawals require PIN transactions, which typically means debit or ATM cards. Regardless, there are a few things you can do to protect yourself.

  • Avoid the use of debit / ATM cards as much as possible. A debit or ATM card is directly connected to your ‪bank account, while a credit card is using the bank's money until you pay the bill at the end of the month.
  • When withdrawing cash from an ATM, if you have a choice, favor an ATM indoors at a brick-and-mortar bank. Brian Krebs has done some enlightening research into ATM ‪skimmers, including a fascinating series on a particular ATM fraud method in Mexico. ATMs in public places (shopping centers, hotels, convenience stores, event venues) are prime targets for crooks to steal card data.

    It takes only a few seconds to insert a skimmer - a physical device that copies the card information when you insert a card into the machine.  More sophisticated attacks will place the skimmer inside the machine, or install malware on the machine so the machine itself will copy the card data and send it to the attacker. ATMs inside legitimate banks are less likely to be compromised, simply because there is greater risk to the criminal.
  • Set up transaction alerts with your bank. Your bank will send you an email or SMS/text message, generally for transactions over a set dollar amount. While this does not prevent the fraud from happening, the sooner you know about it and report it to your bank, the sooner the fraudulent transactions can be reversed.

Wednesday, May 18, 2016

Rumor mill: LinkedIn password breach

Update May 18 10:00 CDT: LinkedIn has confirmed that the password dump is real, but that it originated from the 2012 data breach. The social media site is notifying affected users and requiring a password change for anyone who had an account in 2012, and has not changed their password since.

The rumor mill has it that some 170 million LinkedIn username and passwords are available on the black market, offered for sale to anyone willing to pay the equivalent of a few thousand dollars US.

Several investigators that I trust have suggested it is likely true - but also likely old news. LinkedIn confirmed a data breach in 2012 involving usernames and passwords, though on a much smaller scale. The most reliable sources I have suggest that these 170 million passwords are in fact from the 2012 breach.

If you haven't changed your LinkedIn password since 2012, do so now. We know there was a confirmed breach at that time. 

Even if you have changed your password since then, it can't hurt to change it again. It takes about 30 seconds, and it renders the rumored password dump useless against you, whether or not it contains your actual password. LinkedIn provides simple instructions for changing your password.

As an additional step, consider enabling multifactor authentication for your LinkedIn account. With multifactor authentication enabled, you add your phone number to your LinkedIn account. LinkedIn will send a one-time-use code to you via SMS (text message) anytime a login request comes from a device you have not logged in from before. As I have written before, phone-based multifactor is possible to defeat - but it is far stronger than just a password.

Your LinkedIn profile is an extension of your professional identity; a stolen password could allow someone to embarrass you. Possibly worse, with access to your LinkedIn account, an attacker could reach out to your connections to abuse their trust in you. Your connections would assume the attacker was in fact you. For that reason, social media accounts should be well protected.

Wednesday, May 11, 2016

SIM swap fraud targets SMS-based two-factor authentication

Security is a constant cat-and-mouse game between developers/defenders and criminals. I and others have long recommended "two-factor authentication" for any sensitive accounts (email, banks) - you must enter both a password and a code generated either by a mobile app or sent to you via SMS/text message. It is a significant hurdle for crooks.

This method of security is becoming common enough for criminals to come up with ways to defeat it. One such method seen lately in the UK is a so-called "SIM swap" - the crook gains enough information to impersonate you, then calls your mobile carrier to claim your phone has been stolen. Your phone number is re-activated, but on the crook's phone - so the crook now receives the SMS or text codes meant for you.

Multi-factor authentication that uses a mobile app (or a separate token generator) is stronger security, but if SMS is what your bank offers, I still recommend enabling it. It's still far better than just a password.

What you should do

  • Enable any two-factor or multi-factor feature provided by your bank. A hardware token (a physical device generally about the size of a USB flash drive) is the strongest solution, though it's probably not practical to carry token generators for every important account. A mobile app (Google Authenticator and Duo Mobile are popular options) is the next best thing, and even an SMS or text message code still raises the bar that a criminal must overcome. is a great website with links to "how-to" documentation at many, many banks and service providers.
  • Be mindful of the personal information you share publicly. The more a criminal can learn about you (address, current location, date of birth, email addresses, children's names, payment card numbers, bank account numbers, etc.), the easier he or she can impersonate you to a service provider. If the identity thief can convince tech support that they are you, then for all intents and purposes, to that service provider they are you.

Friday, May 6, 2016

Email hacks, cute pet scams, and payroll fraud - the week in review

Here is a recap of some more notable cyber security stories this week, along with short and simple things you can do.

270 million email accounts hacked!

The story: many news outlets are reporting that a Russian hacker stole passwords to over 270 million GMail, Yahoo! Mail, Hotmail, and email accounts. The origin of the story is a company with a dubious track record, known for making a big deal out of questionable information. Most likely, the hacker does have 270 million passwords - but not necessarily accurate, current, or associated with email accounts. This seems to be a repackaging of a story from the same source 2 years ago - at that time claiming a billion passwords. In reality, these passwords came from many smaller breaches, over a period of many years, and many were not even to email accounts. Instead, perhaps a news website was compromised and the attacker stole the email address and password used to log in; the attacker makes an assumption that you used the same password for your email account as you used for the news website.

What you should do: Don't panic. Do change your email account passwords just to be safe. Do use unique and long passwords for every account (or at least for any important accounts). Do set up two-factor authentication (which requires a code sent to you via SMS/text message, or an authentication app on your phone, to log in from any new location) for your email accounts.

Read this post for more password advice.

Fraudsters steal tax, salary data from ADP!

The story: ADP provides payroll and benefits services for over a half million businesses. Cyber crime investigator Brian Krebs wrote of an incident affecting some ADP clients. Client companies have the option of either pre-creating accounts for every employee, or of having employees create accounts themselves. In the latter case, the employee provides some information that presumably only the actual employee would know (social security number, date of birth, and a code provided by the employer). In some cases, employers evidently posted the company-specific code on a public website to make it easy for employees to sign up; if an attacker were able to obtain someone's social security number and date of birth, they could then create an account pretending to be that employee, and access all of the tax and salary information ADP holds for that employee - useful for tax return fraud among other schemes.

What you should do: This only affects ADP client companies that require their employees to sign up for online payroll and benefits services. The simplest defense is to create your online account with your payroll service immediately upon starting a new job - if you do it first, a hacker cannot pretend to be you.

10 year old kid gets $10,000 for hacking Instagram!

The story: this is actually a great positive story. Facebook awarded a 10-year-old Finnish student with the equivalent of $10,000 USD for finding and reporting a flaw in Instagram (which Facebook owns). Under the flaw, a hacker could delete any other people's comments. Thanks to this young researcher, Facebook fixed the flaw so it cannot be exploited by those with nefarious intention. I've seen other companies disqualify bug bounty reports from underage submitters. Kudos to Facebook for giving young ones incentive to not go to the Dark Side!

What you should do: Nothing! The flaw has already been fixed by Facebook.

Wi-Fi network named "mobile detonation device" freaks out passengers!

The story: Passengers on an Australian airline turned on their wireless devices to connect to the in-flight movie system, and freaked when they saw a hotspot named "mobile detonation device." The airline quickly ushered passengers off the plane while they investigated. As far as has been stated publicly, the device advertising that name was never identified, and eventually the flight did go on.

What you should do: How about not naming your mobile phone wi-fi hotspot something that will cause panic and possibly get you arrested?

Cute puppies and kittens lead to online scams!

The story: UK fraud and cyber crime reporting center ActionFraud writes of an increase in pets offered for sale through online auction websites. Often, the animal comes with a sad story about how it is in a faraway location and needs a new home, along with transportation to that new home. The unsuspecting buyer wins the auction, pays for the animal, and then is asked to pay more vet, boarding, or transportation fees. The buyer though never actually gets the animal - the pet for sale is usually merely a picture taken off a public social media post, of a happily homed pet.

What you should do: Don't buy a pet through an online auction. Your local animal rescue or SPCA no doubt has plenty of sweet animals looking for new homes.

Thousands of WordPress blogs redirect readers to malware!

The story: Security research firm Sucuri found a clever malware campaign that exploits WordPress blog sites whose operators haven't paid attention to security updates. The attackers compromise the blog sites, and add a piece of code that randomly redirects some but not all users to a website controlled by the attacker. If you are one of the unlucky few, the attacker's website attempts to trick you into downloading a fake software update that is actually malware.

What you should do: Two things. First, if a website asks you to install a software update, be very skeptical. Most modern software will automatically update in the background, and may display a notice in your system tray; a website popup with a software update is usually fake. Second, I am a huge fan of OpenDNS, a service that simply doesn't let your browser go to known bad sites. Read this post for a simple, step-by-step guide to setting up OpenDNS. It's not as hard as you think.

Tuesday, May 3, 2016

A devilishly simple phish

A diabolically simple phish, the message claims an error prevented from the message from loading, and you must click the link to see the real message.

I've had this post half-written for a couple of months, and in the interim received two more phishing emails following the same pattern. Over the weekend, a peer in the security industry mentioned he had received a phishing scam that followed this pattern but in a more carefully-crafted package tailored to look like an important message from the president of his actual homeowners' association. @GRC_Ninja has a great write-up of that particular event, with some sage advice from an employer's perspective. What follows is my advice from a consumer perspective, and then a dive into the weeds.

Some phishing approaches are carefully crafted, highly targeted, and nigh impossible to recognize as evil. Some phishing approaches are ridiculously lame and downright silly. And then there is this, from the email account of someone I do know and correspond with. Devilishly simple, and yet entirely believable, who wouldn't click on the link to see what the actual message is?

The email appears to be something that Yahoo! Mail could not display in the normal reader window, and which you must open into its own window in order to read. The "error message" at the bottom lends credibility to the scam. Those with digital rights management on their business email might even be used to messages that cannot render in the standard email reader.

Despite appearances though, this is a fake, a fake for which the three best defenses are 

  1. A password manager such as LastPass or 1Password that recognizes website domains and will not enter your password into a fake login screen; 
  2. Two-factor authentication such that if a scammer does get your password, they still cannot log in without also having your device; and
  3. A DNS resolver such as OpenDNS, that recognizes scam domains and prevents your browser from going there.